[alias alias <alias_yeah@xxxxxxxxx>]

Hi.

 

First of all, let me just thank you for your reply.

Second, I can't use SSL (and no I have nothing against it, on the contrary) because the software architecht of this solution said so...I think its due to commercial reasons (whatever that means).

Third, yes I'm implementing this client-side encryption using a PKI infraestructure, but the encryption algorithm code is not within the _javascript_.

FYI, the client enters user and password and then he clicks the submit button, which calls our web server, via AJAX, a dynamic function that is loaded into a _javascript_ function already in the client.side in runtime. This way the function executes only once and the encryption algorithm code is never shown to the client, only the public key.

The code seems to be working properly, but I wanted to make sure it is, by sniffing the packets when they arrive to the web site. If they came in encrypted then it's all fine, if not...well, I have a problem then! :D
I wanted to use ethereal on my machine and inspect the packets on the pre-production web-server which is on a remote host. Can I use ethereal to do this? If so, how can I do it?

Thorsten Fischer <thorsten@xxxxxxxxxx> wrote:

> This is not related to using etheral, but I need to say it :) Granted,
> my reply is off-topic, and maybe a little rant-ish.
>
> alias alias wrote:
> > My problem is that I'm trying to encrypt the user data on the client to make sure
> > that the user data travels the internet encrypted without using SSL or
> any other
> > SSL-like mechanism. I think the code I've developed is working [...]
>
> What is wrong with using SSL? Browsers and servers support it, and it works.
>
> If you encrypt on the client side using your own code, then the
>  client
> must know the algorithm and more important: the key. If they are not
> built into the client, both need to traverse the network in the clear
> since there is obviously no encryption there in the first place.
>
> But if I can sniff that from the wire then I will be able to decrypt the
> traffic that I sniff afterwards, since I know the algorithm and the key.
> If I cannot sniff it, then there is no reason to encrypt it in the
> first place.
>
> It might be that you implemented public key cryptography, but I doubt
> that you did, because then you could just as well have used SSL.
>
> Also, proper cryptography is difficult to implement properly. I have
> seen many 'encryption' mechanisms passed around in _javascript_ and the
> like, along with the 'secret' keys and nonces and what not. It never works.
>
>
> Cheers
>
> t
>
> -- 
> Thorsten Fischer
> Information Security Consultant
> IRM PLC
>
> Tel: +44 (0)20 7808 6420
> Fax: +44 (0)20 7808
>  6421
>
> Information Risk Management Plc
> 8th floor, Kings Building
> Smith Square
> London
> SW1P 3JJ
>
> www.irmplc.com
>
> The information contained in this email is privileged and confidential
> and is intended only for the use of the addressee. Unauthorised
> disclosure, copying or distribution of the contents is strictly
> prohibited. Please reply immediately if you receive this email in error
> and then immediately delete it from your system.
>
> Where relevant, any quotation contained within this email is exclusive
> of VAT at the current rate and valid for 30 days from the date of this
> email. Information Risk Management Plc (IRM) does not authorise the
> creation of contracts on its behalf by email. All information contained
> within this email and its attachments are subject to IRM's standard
> terms and conditions, a copy of which is available upon request.
>
> All attachments have been scanned for viruses using regularly
>  updated
> programs. IRM cannot accept liability for any damage you incur as a
> result of virus infection and we advise that you should carry out such
> virus and other checks as you consider appropriate.
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users

---

 Yahoo! Music Unlimited - Access over 1 million songs. Try it free.